Cyber Insurance Cost Spikes Continue in UK as Annual Numbers Triple

A new report from the Association of British Insurers (ABI) has tallied up the cyber insurance claims from 2024 and found that payout numbers more than tripled from those recorded in 2023, with a 230% year-on-year increase.

This continues a now years-long trend of surging cyber insurance costs and difficulty in obtaining full coverage, particularly for smaller organizations. The 2024 leap is primarily attributed to more sophisticated and damaging ransomware and malware attacks emerging, and for larger organizations the biggest damage is generally seen in business disruption rather than costs of payouts and technical recovery.

Over half of all UK cyber insurance claims now involve ransomware or malware

The total number of malware attacks leading to cyber insurance claims is also sharply up, now becoming a majority (51%) of recorded incidents after sitting at 32% in 2023. This alone does not explain the massive increase in payouts, however, which surged to £197 million from just £59 million the prior year, an increase of 230%.

The report also finds an increase of 17% in new cyber insurance policies being taken out in 2024. This is in spite of a market that has been gradually tightening since the Covid pandemic years, with baseline requirements rising along with costs. Some organizations, particularly among small to medium outfits, simply cannot qualify for the full coverage they need in this environment (or in some cases for any sort of policy at all) as insurers implement cybersecurity and redundancy requirements that these organizations do not find feasible to meet.

ABI draws its cyber insurance data from a range of over 300 clients that represent both small and very large organizations throughout the UK market. While coverage is still an issue in the UK market overall, other recent reports have noted small downturns of premium costs in certain countries and industries as new capital has entered the market to meet demand. However, some of the most heavily targeted and recovery-challenged industries continue to see global increases in rates and baseline requirements for coverage (such as health care, finance and manufacturing).

Cyber insurance and ransomware payment debates continue amidst cost spikes and crime waves

The long-simmering debate over whether or not to make ransomware payments has boiled over to now include whether or not cyber insurance should be necessary. Sentiment still seems to be generally in favor, with a broad view that even the more stringent new policy requirements remain fair due to valid risk assessment by experienced insurance firms; the threat landscape has simply gotten so bad, and shows so little prospect of slowing down in the near future, that cyber insurance and its present costs are merited. The other side of the debate believes that the existence of comprehensive insurance policies, along with ransom payments, simply encourages threat actors to keep driving forward, as they feel victims with this coverage will be much more likely to capitulate to their demands.

It remains to be seen what impact continued years of escalation of attacks and costs will have on this debate. The cyber insurance numbers are all but guaranteed to be even higher for 2025, at least in the UK. They won’t be tallied by ABI until sometime late next year, but the run by ShinyHunters and Scattered Spider might top the 2024 totals all by itself. Marks & Spencer saw some of the biggest damage from Scattered Spider’s early attacks focusing on UK retailers, and has indicated to investors that it is exercising its maximum £100 million claim on its cyber insurance policy as part of its recovery. That by itself would cover a little over half of the 2024 tally.

However, two other major businesses impacted by this crime spree have said they had either minimal or no cyber insurance coverage and will thus not be seeing much of a payout: fellow UK retailer Co-op has said that its policy does not provide “meaningful” coverage for its intrusion, and Jaguar Land Rover had no cyber insurance policy whatsoever when it was hit and relied on a £1.5bn loan underwritten by the UK government to recover and assist impacted members of its supply chain. Jaguar had apparently been in the midst of negotiating a new policy when it was hit, but had been going without coverage in the interim.

While cyber insurance and ransom payments remain an expected cost of doing business for the private sector, bans for government and public institutions have greatly increased in recent years. In July the UK government announced that it was weighing plans to ban all public sector organizations from making payments, with the possibility of also instituting new requirements for private companies to inform the government when they decide to make a payment. The plan is expected to go forward in the near future, but the timeline for implementation and enforcement has yet to be settled.

Lydia Zhang, President & Co-Founder, Ridge Security, believes that this move will do little to curb criminals intentionally targeting organizations known to have strong policies: “It’s ironic that cyber insurance has become a viable solution. Without thorough security testing or a widely accepted industry standard established before setting cyber insurance terms, it opens the door to hackers who can then target organizations with the highest insurance coverage.”